MyLife worm tries to delete Windows files

A worm posing as an old-fashioned photograph of a girl holding a flower is making the rounds on the Internet. However, a bug in the worm code prevents it from wreaking havoc.
Written by Robert Vamosi, Contributor on
Fortunately, a bug in the malicious code prevents it from working as intended.

A worm posing as an old-fashioned photograph of a girl holding a flower is making the rounds on the Internet. MyLife (w32.mylife@mm) is a 30,720-byte worm written in Visual Basic and compressed using UPX. If executed, the worm will attempt to mail copies of itself to everyone in the user's address book and will attempt to delete critical Windows files. Fortunately, a bug in the current worm code prevents MyLife from deleting any files. Users of Macintosh and Linux machines are not affected. Because MyLife spreads via e-mail and currently does not damage system files, this worm rates a 4 on the ZDNet Virus Meter.

How it works
MyLife arrives as e-mail with a subject line that reads "my life ohhhhhhhhhhhhh." The body of the e-mail message contains the following text:

    How are youuuuuuuu?
    look to the digital picture it's my love
    vvvery verrrry ffffunny :-)
    my life = my car
    my car = my house

The attached file is My Life.scr.

If the user opens the attached file, the worm will display a picture of a young girl sniffing a flower. The active worm will appear as the item My Life in the Windows Task Bar. MyLife copies itself to the Windows System directory and adds itself to the following Registry key:

HKCUSoftwareMicrosoftWindowsCurrentVersionRunstrmgr = C:windowssystemMy Life.scr.

The worm will attempt to delete SYS and COM files from the root directory; COM, SYS, INI, and EXE files from Windows directory; and SYS, VXD, EXE, and DLL files from the Windows System directory. Several antivirus vendors have reported that this worm did not delete any files on their test systems.

Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from the attached SCR file in MyLife. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include MyLife.

A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, Sophos, Symantec, and Trend Micro.

Editorial standards